I have seen a few different discussions but no real solutions.
I verified SMB1, hostname, time sync and DNS on the VCSA. Here is what ssoAdminServer.log gives when it fails:
[2018-01-31T16:29:37.496-06:00 pool-4-thread-3 opId=ActiveDirectoryJoinFormMediator-apply-646-ngc:70000180 ERROR com.vmware.identity.admin.vlsi.SystemManagementServiceImpl] user [admin user] cannot access domain [citygov]
com.vmware.identity.admin.server.ims.ServerConfigurationException: user [admin user] cannot access domain [citygov]
at com.vmware.identity.admin.server.ims.impl.SystemManagementImpl.mapException(SystemManagementImpl.java:133) ~[sso-adminserver.jar:?]
at com.vmware.identity.admin.server.ims.impl.SystemManagementImpl.joinActiveDirectory(SystemManagementImpl.java:85) ~[sso-adminserver.jar:?]
at com.vmware.identity.admin.vlsi.SystemManagementServiceImpl$2.call(SystemManagementServiceImpl.java:92) ~[sso-adminserver.jar:?]
at com.vmware.identity.admin.vlsi.SystemManagementServiceImpl$2.call(SystemManagementServiceImpl.java:81) ~[sso-adminserver.jar:?]
at com.vmware.identity.admin.vlsi.util.VmodlEnhancer.invokeVmodlMethod(VmodlEnhancer.java:160) [sso-adminserver.jar:?]
at com.vmware.identity.admin.vlsi.SystemManagementServiceImpl.joinActiveDirectory(SystemManagementServiceImpl.java:81) [sso-adminserver.jar:?]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_141]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_141]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_141]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_141]
at com.vmware.vim.vmomi.server.impl.InvocationTask.run(InvocationTask.java:65) [vlsi-server.jar:?]
at com.vmware.vim.vmomi.server.common.impl.RunnableWrapper$1.run(RunnableWrapper.java:47) [vlsi-server.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_141]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_141]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_141]
Caused by: com.vmware.identity.idm.IdmADDomainException: user [admin user] cannot access domain [citygov]
at com.vmware.identity.idm.server.IdentityManager.joinActiveDirectory(IdentityManager.java:11604) ~[?:?]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_141]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_141]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_141]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_141]
at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:357) ~[?:1.8.0_141]
at sun.rmi.transport.Transport$1.run(Transport.java:200) ~[?:1.8.0_141]
at sun.rmi.transport.Transport$1.run(Transport.java:197) ~[?:1.8.0_141]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_141]
at sun.rmi.transport.Transport.serviceCall(Transport.java:196) ~[?:1.8.0_141]
at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:568) ~[?:1.8.0_141]
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:826) ~[?:1.8.0_141]
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$0(TCPTransport.java:683) ~[?:1.8.0_141]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_141]
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:682) ~[?:1.8.0_141]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) ~[?:1.8.0_141]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) ~[?:1.8.0_141]
at java.lang.Thread.run(Thread.java:748) ~[?:1.8.0_141]
at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:283) ~[?:1.8.0_141]
at sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:260) ~[?:1.8.0_141]
at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:161) ~[?:1.8.0_141]
at java.rmi.server.RemoteObjectInvocationHandler.invokeRemoteMethod(RemoteObjectInvocationHandler.java:227) ~[?:1.8.0_141]
at java.rmi.server.RemoteObjectInvocationHandler.invoke(RemoteObjectInvocationHandler.java:179) ~[?:1.8.0_141]
at com.sun.proxy.$Proxy78.joinActiveDirectory(Unknown Source) ~[?:?]
at com.vmware.identity.idm.client.CasIdmClient.joinActiveDirectory(CasIdmClient.java:3483) ~[vmware-identity-idm-client.jar:?]
at com.vmware.identity.admin.server.ims.impl.SystemManagementImpl.joinActiveDirectory(SystemManagementImpl.java:77) ~[sso-adminserver.jar:?]
... 13 more
What is your vCenter topology here? Is this embedded PSC or external?
It's the embedded PSC appliance.
Need more information about your configuration if you can provide it.
Could you please try the command line, domainjoin-cli; refer to the link below.
Join ESXi 6.x to Active Directory Using domainjoin-cli - VMARENA
The commands that are in that article give me
bash: ./lwsmd: No such file or directory
bash: /usr/lib/vmware/likewise/bin/domainjoin-cli: No such file or directory:
Edit: After looking at that article again, it is for individual ESXi hosts and not the VCSA.
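The first post lists the usual pre-join checks (hostname, time sync, DNS) as already verified, and the post above shows the ESXi path for domainjoin-cli not existing on the appliance. The script below is an added example, not code from the thread or from VMware, that scripts those checks on the VCSA shell so each one produces an explicit OK/FAIL line: the hostname must be an FQDN inside the target domain, AD must be discoverable through its SRV records, every DC returned must resolve, and the clock offset to each DC must be inside Kerberos's default 300-second tolerance. It assumes the appliance's Likewise tools live under /opt/likewise/bin (an assumption, not something the thread states) and uses the constructed placeholder domain citygov.example.

```shell
#!/bin/sh
# Added example (not from the thread): pre-join checks to run on the VCSA shell
# before retrying the AD join. Assumptions, not facts from the thread:
#   - on the appliance the Likewise tools live under /opt/likewise/bin, not the
#     ESXi path /usr/lib/vmware/likewise/bin quoted above;
#   - Kerberos rejects clients whose clock differs from the DC by more than 300 s;
#   - the domain name "citygov.example" is a constructed placeholder.
KRB_MAX_SKEW=300
DOMAINJOIN=/opt/likewise/bin/domainjoin-cli

# Succeed only if $1 is a fully qualified name that lies inside domain $2.
# An unqualified hostname (no dot) or a host in a different DNS domain fails.
fqdn_in_domain() {
  host="$1"; domain="$2"
  case "$host" in
    *.*) ;;
    *)   return 1 ;;
  esac
  case "$host" in
    *."$domain") return 0 ;;
    *)           return 1 ;;
  esac
}

# Succeed if the absolute clock offset $1 (seconds, may be negative or
# fractional) is within the tolerance $2 (default KRB_MAX_SKEW).
skew_ok() {
  awk -v o="$1" -v m="${2:-$KRB_MAX_SKEW}" \
    'BEGIN { if (o < 0) o = -o; exit (o <= m) ? 0 : 1 }'
}

# Read `dig +short SRV` output ("prio weight port target.") on stdin and print
# one DC hostname per line without the trailing dot; fail if none were found.
srv_targets() {
  awk 'NF == 4 && $3 ~ /^[0-9]+$/ { sub(/\.$/, "", $4); print $4; found = 1 }
       END { exit found ? 0 : 1 }'
}

# Run the live checks against domain $1 and report OK/FAIL per item.
run_checks() {
  domain="$1"; rc=0
  host=$(hostname -f 2>/dev/null || hostname)
  if fqdn_in_domain "$host" "$domain"; then
    echo "OK   hostname $host is an FQDN under $domain"
  else
    echo "FAIL hostname $host is not an FQDN under $domain"; rc=1
  fi

  # AD publishes its DCs as SRV records; if these are missing, the appliance's
  # DNS server is not the AD DNS and the join cannot locate a DC at all.
  dcs=$(dig +short SRV "_ldap._tcp.dc._msdcs.$domain" | srv_targets) || {
    echo "FAIL no SRV records for _ldap._tcp.dc._msdcs.$domain"; return 1; }

  for dc in $dcs; do
    ip=$(getent hosts "$dc" | awk '{ print $1; exit }')
    if [ -z "$ip" ]; then
      echo "FAIL $dc (from SRV) does not resolve"; rc=1; continue
    fi
    echo "OK   $dc -> $ip"
    if command -v ntpdate >/dev/null 2>&1; then
      # ntpdate -q prints "server X, stratum N, offset 0.0123, delay ..."; take the offset
      off=$(ntpdate -q "$dc" 2>/dev/null |
            awk '{ for (i = 1; i < NF; i++) if ($i == "offset") { sub(/,$/, "", $(i+1)); print $(i+1); exit } }')
      if [ -n "$off" ] && skew_ok "$off"; then
        echo "OK   clock offset to $dc is ${off}s (limit ${KRB_MAX_SKEW}s)"
      else
        echo "FAIL clock offset to $dc is '${off:-unknown}' (Kerberos limit ${KRB_MAX_SKEW}s)"; rc=1
      fi
    else
      echo "SKIP ntpdate not installed; compare 'date -u' with the DC by hand"
    fi
  done

  if [ -x "$DOMAINJOIN" ]; then
    echo "INFO current join state:"; "$DOMAINJOIN" query
  else
    echo "SKIP $DOMAINJOIN not found; locate it with: find / -name domainjoin-cli 2>/dev/null"
  fi
  return $rc
}

# Only run the live checks when a domain is given, e.g.: sh adcheck.sh citygov.example
if [ -n "${1:-}" ]; then
  run_checks "$1"
fi
```

A FAIL on the SRV lookup is the most common root cause of "cannot access domain": the appliance is using a resolver that is not the AD DNS, so no DC can be located even though the DC's own name resolves. The helper functions are kept pure (no network) so they can be exercised with captured dig or ntpdate output.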
If I could ask - is joining the domain required so that domain users can authenticate to the vCenter Server Appliance? If yes, then SSO is easier to accomplish and works just fine with a 2012 R2 domain functional level:
From my understanding, yes, it is required for users to utilize their domain credentials to log in with SSO.
Sorry, Boyan, I had to reread your post to get what you were asking. I can configure it as just an LDAP connection, no issue. It's when I configure it for AD Integration that it requires it to be part of the domain.
jlove, no worries; I'm curious nonetheless. If LDAP allows domain users to log in with their AD credentials, then what else does "AD integration" give you? I'm comparing my environment, where the VCSA is set up as LDAP for SSO and the AD users in particular AD groups assigned as vCenter admins log in using their AD credentials. I never even knew there was "AD integration" other than LDAP, and more importantly, what is it that it provides if SSO can be achieved without it?
Thanks
I'm guessing the AD Integration is for the Client Integration Plugin, but I'm not sure.